FortiClientEMS Vulnerabilities Under Active Exploitation, Expose Systems to RCE

A critical Fortinet FortiClient EMS vulnerability, tracked as CVE-2026-21643 (CVSS score of 9.1), is now being actively exploited.
Defused researchers warn that threat actors are exploiting the vulnerability in Fortinet’s FortiClient EMS platform.
“Fortinet Forticlient EMS CVE-2026-21643 – currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists – has seen first exploitation already 4 days ago according to our data. Attackers can smuggle SQL statements through the “Site”-header inside an HTTP request. According to Shodan, close to 1000 instances of Forticlient EMS are publicly exposed,” Defused wrote on X.
— Defused (@DefusedCyber) March 28, 2026
“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests,” reads the advisory.
A successful attack could give attackers an initial foothold in the target network, enabling lateral movement or malware deployment.
The vulnerability was internally discovered and reported by Gwendal Guégniaud of the Fortinet Product Security team.
Below are the affected versions:
| Version | Affected | Solution |
|---|---|---|
| FortiClientEMS 8.0 | Not affected | Not Applicable |
| FortiClientEMS 7.4 | 7.4.4 | Upgrade to 7.4.5 or above |
| FortiClientEMS 7.2 | Not affected | Not Applicable |
In February, the vendor did not disclose whether the vulnerability was being actively exploited in the wild.
Despite not yet appearing in major exploited lists, real-world attacks have already been observed.
Shadowserver researchers report approximately 2,000 FortiClient EMS instances exposed online, most of them in the U.S. (756) and Europe (683).
In March 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a FortiClient EMS SQL Injection Vulnerability, tracked as CVE-2023-48788, to its Known Exploited Vulnerabilities (KEV) catalog.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Fortinet)

Shortly after our recent coverage of high-impact FortiOS SSO zero-day exploitation (CVE-2026-24858), defenders are facing another urgent patching priority in the Fortinet ecosystem. On February 6, Fortinet released a fix for a critical SQL injection flaw that can be triggered remotely and doesn’t require authentication, potentially leading to unauthorized code or command execution.
Although there are currently no signs of exploitation in the wild, CVE-2026-21643 requires immediate attention and patching as SQL injection remains one of the most dangerous web vulnerability classes. OWASP Top 10 2025 links Injection to 62,445 known CVEs, including more than 14,000 SQL injection issues. The risk is straightforward. If an application lets untrusted input reach the database interpreter, an attacker can make the database run unintended commands, steal or change data, and, in some cases, escalate to full system compromise.
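To make the mechanism in the paragraph above concrete, here is an added Python example (not code from FortiClient EMS, Fortinet, or SOC Prime) that contrasts a query built by string concatenation with the same query using a bound parameter. The `sites` table, its three rows and the `lookup_site_*` function names are constructed for the demo; the point is that the same input reaches the database interpreter as part of the command in one case and as plain data in the other.

```python
"""Vulnerable string-built query beside its parameterized fix.

Added illustration, not code from FortiClient EMS or from the SOC Prime post.
Uses an in-memory SQLite database with constructed sample rows.
"""
import sqlite3

# Constructed sample data: three sites an endpoint-management server might track.
SAMPLE_SITES = [("hq", "active"), ("branch-1", "active"), ("lab", "disabled")]


def _fresh_db():
    """Build a throwaway in-memory database so each lookup starts from the same state."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sites (name TEXT, status TEXT)")
    conn.executemany("INSERT INTO sites VALUES (?, ?)", SAMPLE_SITES)
    return conn


def lookup_site_vulnerable(site_name):
    """Builds the SQL by concatenation: whatever arrives in the value becomes part of the command."""
    conn = _fresh_db()
    query = "SELECT name, status FROM sites WHERE name = '" + site_name + "'"
    return conn.execute(query).fetchall()


def lookup_site_safe(site_name):
    """Passes the value as a bound parameter: the driver sends it as data, never as SQL text."""
    conn = _fresh_db()
    return conn.execute(
        "SELECT name, status FROM sites WHERE name = ?", (site_name,)
    ).fetchall()


def demo():
    """Show both functions on a normal name and on a classic tautology input."""
    for value in ("hq", "x' OR '1'='1"):
        print(f"input={value!r}")
        print("  concatenated ->", lookup_site_vulnerable(value))
        print("  parameterized ->", lookup_site_safe(value))


if __name__ == "__main__":
    demo()
```

With the ordinary name both functions return the single matching row. With the tautology input the concatenated version returns every row, because the quote closes the literal and the `OR` becomes part of the WHERE clause, while the parameterized version returns nothing, because the whole string is compared literally against the `name` column.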
Sign up for the SOC Prime Platform to access real-time detection intelligence and ready-to-go use cases for emerging risks like vulnerability exploitation. Click Explore Detections to view the full collection of rules filtered by the “CVE” tag.
All rules are compatible with multiple SIEM, EDR, and Data Lake platforms and are mapped to the MITRE ATT&CK® framework. Each rule includes CTI links, attack timelines, audit settings, triage guidance, and more relevant metadata.
Cyber defenders can also use Uncoder AI to empower their detection engineering workflows. Generate detection algorithms from raw threat reports, enable fast IOC sweeps, predict ATT&CK tags, optimize query code with AI tips, and translate it across multiple SIEM, EDR, and Data Lake languages.
On February 6, 2026, Fortinet released an advisory describing CVE-2026-21643 as an improper neutralization of special elements used in an SQL Command (SQL Injection) in FortiClient EMS, where a remote attacker can send specially crafted HTTP requests to trigger the flaw. Because the issue is pre-auth, an exposed or reachable EMS administrative interface becomes a high-value target for initial access, potentially leading to rapid foothold establishment, follow-on tooling, and lateral movement from a system that often has broad visibility into endpoints.
CVE-2026-21643 carries a critical CVSS score of 9.8, highlighting the urgent need for patching. The good news for defenders is that the scope is clear. Fortinet’s advisory highlights that only FortiClientEMS 7.4.4 is affected and that upgrading to 7.4.5 or later addresses the issue, while 7.2 and 8.0 are not impacted.
Enhancing proactive cybersecurity strategies is crucial for reducing exploitation risk. By leveraging SOC Prime’s AI-Native Detection Intelligence Platform for enterprise-grade cyber defense, organizations can scale detection operations and strengthen their security posture. Register now to improve visibility into threats most relevant to your business and to accelerate response when new critical threats like CVE-2026-21643 appear.
What is CVE-2026-21643 and how does it work?
CVE-2026-21643 is a critical SQL injection vulnerability in Fortinet FortiClientEMS 7.4.4. The issue is caused by improper handling of special characters in SQL commands, so a remote attacker can send specially crafted HTTP requests and potentially execute unauthorized code or commands.
When was CVE-2026-21643 first discovered?
Fortinet released an advisory describing CVE-2026-21643 on February 6, 2026, which is also the day the vulnerability was recorded by NVD. Gwendal Guégniaud from the Fortinet Product Security team is credited with discovering and reporting the flaw.
Which risks does CVE-2026-21643 pose to systems?
The main risk is remote compromise of the FortiClient EMS server. If a vulnerable EMS instance is reachable, an attacker can abuse the SQL injection through crafted HTTP requests to run unauthorized actions and potentially escalate to code or command execution. This can lead to data access or tampering, service disruption, and a foothold that can be used to pivot deeper into the environment.
Can CVE-2026-21643 still affect me in 2026?
Yes, if you are running FortiClient EMS 7.4.4 and have not applied the fix. Fortinet states the issue is resolved in 7.4.5 and later, and notes that 7.2 and 8.0 are not affected.
How can you protect against CVE-2026-21643?
Upgrade FortiClient EMS to 7.4.5 or later and limit access to the EMS web interface to trusted admin networks only. Until patching is complete, increase monitoring on the EMS host and its web traffic for unusual requests and unexpected process activity.
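As an added illustration of the interim monitoring advice above (my own example, not a SOC Prime rule and not Fortinet's own logging), the following Python sweeps reverse-proxy access logs for SQL-like content in the Site request header that Defused named as the injection path. It assumes the proxy in front of EMS has been configured to record that header as a `site="..."` field; the log format, the `/example` path, the IP addresses and the five log lines are all constructed for the demo.

```python
"""Heuristic sweep of proxy access logs for SQL-like content in the Site header.

Added example, not a SOC Prime rule and not Fortinet logging. Assumes the
reverse proxy in front of EMS records the Site request header as a
site="..." field; the log lines below are constructed for this demo.
"""
import re
from dataclasses import dataclass

# Constructed sample log: two benign names (one with an apostrophe), two SQL-like values.
SAMPLE_LOG = """\
203.0.113.10 [28/Mar/2026:10:00:01 +0000] "POST /example HTTP/1.1" 200 site="hq"
203.0.113.11 [28/Mar/2026:10:00:05 +0000] "POST /example HTTP/1.1" 200 site="O'Brien Office"
198.51.100.7 [28/Mar/2026:10:00:09 +0000] "POST /example HTTP/1.1" 500 site="x' OR '1'='1"
198.51.100.7 [28/Mar/2026:10:00:12 +0000] "POST /example HTTP/1.1" 500 site="x' UNION SELECT null--"
203.0.113.12 [28/Mar/2026:10:00:20 +0000] "POST /example HTTP/1.1" 200 site="branch-1"
"""

# Assumed log layout: client IP, bracketed timestamp, request line, status, site field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) site="(?P<site>.*)"$'
)

# Each indicator requires a quote or semicolon *followed by* SQL syntax, so a lone
# apostrophe in a legitimate name such as O'Brien does not trip the rule.
INDICATORS = {
    "quote_then_keyword": re.compile(r"'\s*(?:OR|AND|UNION|SELECT)\b|'\s*;", re.I),
    "sql_comment": re.compile(r"--|/\*"),
    "stacked_statement": re.compile(r";\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP|EXEC)\b", re.I),
}


@dataclass
class Finding:
    src_ip: str
    timestamp: str
    status: str
    site_value: str
    reasons: list


def score_site_value(value):
    """Return the names of every indicator that matches the header value."""
    return [name for name, pat in INDICATORS.items() if pat.search(value)]


def analyze_log(text):
    """Parse each line and keep the ones whose Site value looks like SQL."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped here; a production sweep should count them
        reasons = score_site_value(m["site"])
        if reasons:
            findings.append(Finding(m["ip"], m["ts"], m["status"], m["site"], reasons))
    return findings


def sources_to_review(findings):
    """Collapse findings to source IP -> hit count, the unit an analyst triages first."""
    counts = {}
    for f in findings:
        counts[f.src_ip] = counts.get(f.src_ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.src_ip} status={h.status} site={h.site_value!r} reasons={h.reasons}")
    print("sources to review:", sources_to_review(hits))
```

On the sample the two requests from the second address are flagged and the apostrophe in "O'Brien Office" is left alone. Pair the sweep with the 5xx status column: an unusual burst of server errors on the same endpoint from one source is a second, independent signal that something other than a normal client is talking to the EMS interface.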
The post CVE-2026-21643: Critical FortiClient EMS Vulnerability Enables Unauthenticated Remote Code Execution appeared first on SOC Prime.
Fortinet issued an urgent advisory to address a critical FortiClientEMS vulnerability, tracked as CVE-2026-21643 (CVSS score of 9.1).
The vulnerability is an improper neutralization of special elements used in an SQL Command (‘SQL Injection’) issue in FortiClientEMS. An unauthenticated attacker can trigger the flaw to execute unauthorized code or commands via specifically crafted HTTP requests.